RUNDLL32.ORG

Analysis of the Green Dam Censorware System

a@b.com (rundll32) — Fri, 12 Jun 2009 13:44:23 +0800

Summary We have discovered remotely-exploitable vulnerabilities in Green Dam, the censorship software reportedly mandated by the Chinese government. Any web site a Green Dam user visits can take control of the PC.

...

Microsoft Sets Record With Monster Patch Tuesday

a@b.com (rundll32) — Fri, 12 Jun 2009 08:17:35 +0800

Microsoft today issued 10 security updates that patched a record 31 vulnerabilities in Windows, Internet Explorer, Excel, Word, Windows Search and other programs, including 18 bugs marked 'critical.' Of the 10 bulletins, six patched some part of Windows, while three patched an Office application or component, and one fixed a flaw in IE. The total bug count was the most patched by Microsoft in a single month since the company began regularly scheduled updates in 2003. The previous record of 26 vulnerabilities patched occurred in both August 2008 and August 2006. 'This is a very broad bunch,' said Wolfgang Kandek, CTO at Qualys, 'compared to last month, which was really all about PowerPoint. You've got to work everywhere, servers and workstations, and even Macs if you have them. It's not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.

...

Green Dam-Youth Escort

a@b.com (rundll32) — Thu, 11 Jun 2009 09:55:55 +0800

"Green Dam" utilizes the Winsock2 SPI port to obtain data from both sender and recipient, and through analyzing these data, obtains http data. Having obtained http data protocol and run through a URL detector, a harmful URL detector and a keyword detector, Green Dam decides based on those results whether or not image detection is needed, and through image detection, addresses of websites containing harmful information are delivered to system management.

What's the suspicious Rundll32.exe process

a@b.com (rundll32) — Wed, 13 May 2009 12:04:11 +0800

When you open Task Manager, you may see Rundll32.exe entry in the Processes tab. Or, you may also encounter a rundll32.exe error at shutdown. Rundll32.exe is a valid system file which executes a DLL. The actual command may be Rundll32.exe filename.xxx, , whereas Task Manager reports only the command name and not it's parameter.

...

How Rundll Works

a@b.com (rundll32) — Fri, 08 May 2009 11:21:33 +0800

How Rundll Works

Rundll performs the following steps:

It parses the command line.
It loads the specified DLL via LoadLibrary().

Determining which modules are being executed by Rundll.32.exe

a@b.com (rundll32) — Wed, 15 Apr 2009 08:15:50 +0800

The Windows XP tool Tasklist can be used to determine what program modules are currently being executed by rundll32.exe. (For discussion of Tasklist, go to this page.) To create a list of running tasks, open a Command Prompt window and enter the following command:

...

Microsoft reaches RC Milestone with Windows 7 Build 7105

a@b.com (rundll32) — Wed, 08 Apr 2009 14:04:27 +0800

Build numbers have been flying around like crazy as usual but Windows 7 Build 7105 has had many fans scratching their heads over. According to Neowin, Build 7105 is an RC build. The build string is 6.1.7105.0.090404-1235_x86fre_client_en-us_Retail_Ultimate-GB1CULFRER_EN_DVD and the build was compiled on April 4th. According to some screenshots Faikee found, this may very well be the case. The following screenshot was found by Faikee from our forums:

...

Taming Conficker

a@b.com (rundll32) — Wed, 01 Apr 2009 08:08:40 +0800

Conficker virus could be deadly threat – or April Fool's joke

Virus that has infected 10m computers leaves experts baffled.It could be the biggest April Fool's joke ever played on the internet, or it could be one of the worst days ever for computers connected to the network. Security experts can't work out whether the Conficker virus – which has infected more than 10m Windows PCs worldwide – will wreak havoc on Wednesday , or just let the day pass quietly.

...

Windows Rundll and Rundll32 Interface

a@b.com (rundll32) — Mon, 30 Mar 2009 12:56:21 +0800

Rundll vs. Rundll32

Rundll loads and runs 16-bit DLLs, whereas Rundll32 loads and runs 32-bit DLLs. If you pass the wrong type of DLL to Rundll or Rundll32, it may fail to run without indicating any error messages.

...

Mimivirus

a@b.com (rundll32) — Wed, 25 Mar 2009 10:38:31 +0800

Mimivirus is one of the largest and most complex viruses known. The virus was first isolated in 1992 from amoebae growing in a water tower in Bradford. La Scola, B. et al. (2003) A giant virus in amoebae. Science 299: 2033.

...